融合宏观与微观的双层威胁分析模型

doi:10.11959/j.issn.2096-109x.2021015

摘要/Abstract

摘要：

针对现有威胁分析模型无法兼顾高级安全威胁的宏观发展趋势及微观传播路径的问题，建立了一种双层威胁分析模型TL-TAM。模型上层刻画严重程度由低到高的威胁发展趋势，下层融合技术漏洞攻击、社会工程攻击及网络扫描攻击，刻画威胁传播路径。据此，提出了威胁预测分析算法。实验结果表明，模型能够对威胁传播进行多层面综合分析，并且克服了基于攻击图的威胁分析模型局限于技术漏洞攻击的缺陷，更加适用于高级安全威胁的动态跟踪分析。

关键词: 双层模型, 传播路径, 社会工程, 网络扫描

Abstract:

The existing threat analysis models failed to comprehensively analyze the propagation of advanced security threats integrating the threat development trend and propagation path.In order to solve the problem, a two-layer threat analysis model named TL-TAM was established.The upper layer of the model depicted the threat development trend.The lower layer depicted the threat propagation path considering social engineering and networks can.Based on the model, prediction algorithm of threat development was proposed.The experimental result shows that the model can comprehensively analyze the threat propagation at multiple levels, overcome the defect that the threat analysis model based on attack graph is limited to technical vulnerability attack, and is more suitable for dynamic tracking analysis of advanced security threats.

Key words: two-layer model, propagation path, social engineering, network scan

中图分类号:

TP393.08

孙澄, 胡浩, 杨英杰, 张红旗. 融合宏观与微观的双层威胁分析模型[J]. 网络与信息安全学报, 2021, 7(1): 143-156.

Cheng SUN, Hao HU, Yingjie YANG, Hongqi ZHANG. Two-layer threat analysis model integrating macro and micro[J]. Chinese Journal of Network and Information Security, 2021, 7(1): 143-156.

图/表 14

图1

表1

图2

表2

图3

图4

表3

表4

表5

图5

图6

图7

表6

表7

参考文献 17

[1]	赵志岩, 纪小默 . 智能化网络安全威胁感知融合模型研究[J]. 信息网络安全, 2020,20(4): 87-93.
	ZHAO Z Y , JI X M . Research on the intelligent fusion model of network security situation awareness[J]. Netinfo Security, 2020,20(4): 87-93.
[2]	金辉, 张红旗, 张传富 ,等. 复杂网络中基于 QRD 的主动防御决策方法研究[J]. 信息网络安全, 2020,20(5): 72-82.
	JIN H , ZHANG H Q , ZHANG C F ,et al. Research on active defense decision-making method based on QRD in complex network[J]. Netinfo Security, 2020,20(5): 72-82.
[3]	LI M , HUANG W , WANG Y ,et al. The study of APT attack stage model[C]// 2016 IEEE/ACIS 15th International Conference on Computer and Information Science (ICIS). 2016.
[4]	CHEN P , DESMET L , HUYGENS C . A study on advanced persistent threats[C]// IFIP International Conference on Communications and Multimedia Security. 2014: 63-72.
[5]	USSATH M , JAEGER D , CHENG F ,et al. Advanced persistent threats:behind the scenes[C]// 2016 Annual Conference on Information Science and Systems (CISS). 2016: 181-186.
[6]	贺诗洁, 黄文培 . APT 攻击详解与检测技术[J]. 计算机应用, 2018,38(S2): 170-173.
	HE S J , HUANG W P . APT attacks details and detection technology[J]. Journal of Computer Applications, 2018,38(S2): 170-173.
[7]	HUTCHINS E M , CLOPPERT M J , AMIN R M . Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains[J]. Leading Issues in Information Warfare ＆ Security Research, 2011,1(1): 80.
[8]	SWILER L P , PHILLIPS C . A graph-based system for network-vulnerability analysis[R]. 1998.
[9]	吴迪, 连一峰, 陈恺 ,等. 一种基于攻击图的安全威胁识别和分析方法[J]. 计算机学报, 2012,35(9): 1938-1950.
	WU D , LIAN Y F , CHEN K ,et al. A security threats identification and analysis method based on attack graph[J]. Chinese Journal of Computers, 2012,35(9): 1938-1950.
[10]	WU S , ZHANG Y , CAO W ,et al. Network security assessment using a semantic reasoning and graph based approach[J]. Computers ＆ Electrical Engineering, 2017: 96-109.
[11]	WANG L , LIU A , JAJODIA S . Using attack graphs for correlating,hypothesizing,and predicting intrusion alerts[J]. Computer communications, 2006,29(15): 2917-2933.
[12]	AHAMADINEJAD S H , JALILI S , ABADI M . A hybrid model for correlating alerts of known and unknown attack scenarios and updating attack graphs[J]. Computer Networks, 2011,55(9): 2221-2240.
[13]	刘威歆, 郑康锋, 武斌 ,等. 基于攻击图的多源告警关联分析方法[J]. 通信学报, 2015,36(9): 135-144.
	LIU W X , ZHENG K F , WU B ,et al. Alert processing based on attack graph and multi-source analyzing[J]. Journal on Communications, 2015,36(9): 135-144.
[14]	杨英杰, 冷强, 常德显 ,等. 基于属性攻击图的网络动态威胁分析技术研究[J]. 电子与信息学报, 2019,41(8): 1838-1846.
	YANG Y J , LENG Q , CHANG D X ,et al. Research on network dynamic threat analysis technology based on attribute attack graph[J]. Technology Based on Attribute Attack Graph Journal of Electronics ＆ Information Technology, 2019,41(8): 1838-1846.
[15]	杨英杰, 冷强, 潘瑞萱 ,等. 基于属性攻击图的动态威胁跟踪与量化分析技术研究[J]. 电子与信息学报, 2019,41(9): 2172-2179.
	YANG Y J , LENG Q , PAN R X ,et al. Research on dynamic threat tracking and quantitative analysis[J]. Technology Based on Attribute Attack Graph Journal of Electronics ＆ Information Technology, 2019,41(9): 2172-2179.
[16]	胡浩, 叶润国, 张红旗 ,等. 基于攻击预测的网络安全态势量化方法[J]. 通信学报, 2017,38(10): 122-134.
	HU H , YE R G , ZHANG H Q ,et al. Quantitative method for network security situation based on attack prediction[J]. Journal on Communications, 2017,38(10): 122-134.
[17]	樊雷, 余江明, 雷英杰 . 面向APT攻击的分层表示模型[J]. 计算机工程, 2018,44(8): 155-160.
	FAN L , YU J M , LEI Y J . Hierarchical representation model for APT attack[J]. Computer Engineering, 2018,44(8): 155-160.

攻击	攻击子类	脆弱性	脆弱性存在部位（组件）	前提条件
社会工程攻击	鱼叉攻击、水坑攻击	人性弱点	操作人员	获取信任关系
网络扫描	服务扫描、端口扫描、漏洞扫描	—	—	控制扫描发起设备

对象属性名	定义域	值域	含义
has	Device	Component	设备实例Indv_Dev拥有组件实例Indv_Cmpt
hasAccess	Device	Component	设备实例Indv_Dev拥有组件实例Indv_Cmpt的访问权限
exist	Component	Vulnerability	组件实例Indv_Cmpt存在脆弱性实例Indv_Optr
exploit	Attack	Vulnerability	攻击实例Indv_Att利用脆弱性实例Indv_Optr
hasPrivilegeUser	Device	Device	设备实例Indv_Dev拥有组件实例Indv_Cmpt的用户权限
hasPrivilegeRoot	Device	Device	设备实例Indv_Dev拥有组件实例Indv_Cmpt的完全控制权限
hasCompromised	Device	Component	设备实例Indv_Dev损害了组件实例Indv_Cmpt
trustedBy	Device	Operator	设备实例Indv_Dev受操作管理人员实例Indv_Optr信任
launchAttack_{name}_{vul}	Device	Device	设备实例Indv_Dev向组件实例Indv_Cmpt发起攻击
注：“launch Attack”命名格式中，name为攻击名称，vul为脆弱性，技术漏洞以cve编号格式进行标识，人员弱点采取自编号模式，以“hw_code”格式标识，当攻击属于网络扫描类时，vul以“null”标识。

Device	Component	Vulnerability	ModifiedScore	Attack
Firewall 4	Management Software(MS)	CVE-2019-1642 （恶意脚本注入）	6.1	ScriptInjection
Admin Station 1	Google Chrome	CVE-2018-6116 （越界访问内存）	6.5	CodeExecution
Web Server 1	Apache Tomcat Native(ATN)	CVE-2018-8019 （过期证书认证）	7.4	CertAbuse
Email Server 1	Apache James JMX(JMX)	CVE-2017-12628 （本地权限提升）	7.8	PriElevation
	Apache James Server(AJS)	CVE-2015-7611 （操作系统命令注入）	8.1	CommandInjection
WorkStation 1	Microsoft outlook	CVE-2013-3870 （远程权限获取）	9.1	CodeExecution
	Operator	hw-001（安全意识薄弱）	4.0	Waterholing
WorkStation 2	MsMpEng	CVE-2017-0290（远程权限获取）	9.3	CodeExecution
File Server 1	Microsoft Windows	CVE-2019-0543 （本地权限提升）	7.8	PriElevation
Data Server 1	S-CMS	CVE-2019-6805 （SQL命令注入）	9.8	SQLInjection

From Individual	To Individual	Object Properties
Web Server	S-CMS	hasAccess(web_1,DS_1_S-CMS)
	Management Software(MS)	hasAccess(web_1, FW_4_MS)
Email Server	Operator	trustedBy(ES_1,WS_1_operator)
	Management Software(MS)	hasAccess(ES_1, FW_4_MS)
WorkStation 1	File Server	hasPrivilegeUser(WS_1,FS_1)
	WorkStation 2	hasAccess(WS_1, WS_2_MsMpEng)
WorkStation 2	File Server	hasAccess(WS_2,FS_1_windows)
	WorkStation 1	hasPrivilegeUser(WS_2, WS_1)
Admin Station	Data Server	hasPrivilegeRoot(AS_1,DS_1)
Firewall 4	Admin Station	hasAccess (FW_4,AS_1_chrome)

From Individual	To Individual	Object Properties
att	Apache Tomcat Native(ATN)	hasAccess(att, web_1_ATN)
att	Apache James Server(AJS)	hasAccess(att, ES_1_AJS)